System, method and computer program product for messaging in an on-demand database service

ABSTRACT

In accordance with embodiments, there are provided mechanisms and methods for messaging in an on-demand database service. These mechanisms and methods for messaging in an on-demand database service can enable embodiments to more flexibly message in on-demand database environments. The ability of embodiments to provide such feature may lead to enhanced messaging features which may be used for providing more effective ways of messaging in the context of on-demand databases.

CLAIM OF PRIORITY

This application is a continuation of U.S. application Ser. No.13/797,798, filed Mar. 12, 2013, which is a continuation of U.S.application Ser. No. 12/175,082, filed Jul. 17, 2008, which claims thebenefit of U.S. Provisional Patent Application No. 60/950,831, filedJul. 19, 2007, the entire contents of which are incorporated herein byreference.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD OF THE INVENTION

The current invention relates generally to database systems, and moreparticularly to messaging in database systems.

BACKGROUND

The subject matter discussed in the background section should not beassumed to be prior art merely as a result of its mention in thebackground section. Similarly, a problem mentioned in the backgroundsection or associated with the subject matter of the background sectionshould not be assumed to have been previously recognized in the priorart. The subject matter in the background section merely representsdifferent approaches, which in and of themselves may also be inventions.

In conventional database systems, users access their data resources inone logical database. A user of such a conventional system typicallyretrieves data from and stores data on the system using the user's ownsystems. A user system might remotely access one of a plurality ofserver systems that might in turn access the database system. Dataretrieval from the system might include the issuance of a query from theuser system to the database system. The database system might processthe request for information received in the query and send to the usersystem information relevant to the request.

There is often a desire to message in the context of such databasesystems. For example, a user of the database system may not have accessto the Internet for messaging. Thus, an alternative mechanism formessaging would be useful to the user.

BRIEF SUMMARY

In accordance with embodiments, there are provided mechanisms andmethods for messaging in an on-demand database service. These mechanismsand methods for messaging in an on-demand database service can enableembodiments to more flexibly message in on-demand database environments.The ability of embodiments to provide such feature may lead to enhancedmessaging features which may be used for providing more effective waysof messaging in the context of on-demand databases.

In an embodiment and by way of example, a method is provided formessaging in an on-demand database service. In use, a message isreceived using an on-demand database service, on behalf of an entity.Additionally, a security criterion retrieved from a portion of anon-demand database limited to information of the entity is applied.Furthermore, a rule for processing the message if the messagesuccessfully meets the security criterion is retrieved.

While the present invention is described with reference to an embodimentin which techniques for messaging in an on-demand database service areimplemented in an application server providing a front end for amulti-tenant database on-demand service, the present invention is notlimited to multi-tenant databases or deployment on application servers.Embodiments may be practiced using other database architectures, i.e.,ORACLE®, DB2® and the like without departing from the scope of theembodiments claimed.

Any of the above embodiments may be used alone or together with oneanother in any combination. Inventions encompassed within thisspecification may also include embodiments that are only partiallymentioned or alluded to or are not mentioned or alluded to at all inthis brief summary or in the abstract. Although various embodiments ofthe invention may have been motivated by various deficiencies with theprior art, which may be discussed or alluded to in one or more places inthe specification, the embodiments of the invention do not necessarilyaddress any of these deficiencies. In other words, different embodimentsof the invention may address different deficiencies that may bediscussed in the specification. Some embodiments may only partiallyaddress some deficiencies or just one deficiency that may be discussedin the specification, and some embodiments may not address any of thesedeficiencies.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a method for messaging in an on-demand database service, inaccordance with one embodiment.

FIG. 2A shows a system for messaging in an on-demand database service,in accordance with another embodiment.

FIG. 2B shows a splash page that may be displayed to an administrator,in accordance with one embodiment.

FIG. 2C shows an interface for establishing rules and security criteriafor messages associated with an entity, in accordance with oneembodiment.

FIG. 2D shows an interface for verifying security criteria used formessaging, in accordance with one embodiment.

FIG. 3A shows a system for messaging in an on-demand database service,in accordance with another embodiment.

FIG. 3B shows an interface for generating an inbound email address, inaccordance with one embodiment.

FIG. 3C shows an interface allowing a user to select rules to implement,in accordance with one embodiment.

FIG. 4 shows a method for processing an inbound message, in accordancewith one embodiment.

FIG. 5 illustrates a block diagram of an example of an environmentwherein an on-demand database service might be used.

FIG. 6 illustrates a block diagram of an embodiment of elements of FIG.5 and various possible interconnections between these elements.

DETAILED DESCRIPTION General Overview

Systems and methods are provided for messaging in an on-demand databaseservice.

There is often a desire to message when using on-demand databasesystems. For example, a user of the database system may not have accessto the internet for messaging. Thus, mechanisms and methods providedherein for messaging in an on-demand database service can enableembodiments to more flexibly message. The ability of embodiments toprovide such feature may lead to enhanced messaging features which maybe used for providing more effective ways of messaging in the context ofon-demand databases.

Next, mechanisms and methods for messaging in an on-demand databaseservice will be described with reference to exemplary embodiments.

FIG. 1 shows a method 100 for messaging in an on-demand databaseservice, in accordance with one embodiment. As shown, a message isreceived at an on-demand database service, on behalf of an entity. Seeoperation 102.

In the context of the present description, an on-demand database servicemay include any service that relies on a database system that isaccessible over a network. In one embodiment, the on-demand databaseservice may include a multi-tenant on-demand database service. In thepresent description, such multi-tenant on-demand database service mayinclude any service that relies on a database system that is accessibleover a network, in which various elements of hardware and software ofthe database system may be shared by one or more customers. Forinstance, a given application server may simultaneously process requestsfor a great number of customers, and a given database table may storerows for a potentially much greater number of customers.

Furthermore, in the context of the present description, an entity refersto any individual, company, or organization, etc. Additionally, themessage may be any type of electronic message. For example, in variousembodiments, the message may include a workflow approval, a mass email,a single email, a notification, a case email, a billing email, aworkflow request, an email to create a new case, a thread to a previousemail, an inquiry, and a customer support email, etc.

In one embodiment, the message may be sent from the entity. Further, themessage may be received at the on-demand database service or by anentity or database via the on-demand database service.

With further reference to FIG. 1, a security criterion retrieved from aportion of an on-demand database limited to information of the entity isapplied. See operation 104. For example, the security criterion may beretrieved from a specific instance of the on-demand database of anon-demand database service provider, the instance being associated withthe entity.

The security criterion may include any type of security criterion. Forexample, in various embodiments, the security criterion may include asender policy framework (SPF) validation, a sender address validation, atransport layer security (TLS) authentication, anti-virus verification,anti-spam verification, etc.

In one embodiment, the security criterion may be managed by theon-demand database service controlling the on-demand database.Furthermore, a rule for processing the message if the messagesuccessfully meets the security criterion is retrieved. See operation106. As an option, the retrieving may include retrieving the rule onbehalf of the entity. For example, the entity may have defined the rulefor processing the message.

In this case, the rule may include any rule or set of rules forprocessing the message. For example, in one embodiment, the rule mayinclude creating a lead in the portion of the on-demand database basedupon information contained in the message. In this case, the lead mayinclude a customer lead.

In another embodiment, the rule may include sending the message to acase stored in the portion of the on-demand database. For example, themessage may be sent to a file associated with information contained inthe message. In still another embodiment, the rule may include creatinga contact in the portion of the on-demand database based uponinformation contained in the message. In yet another embodiment, therule may include invoking a custom code to process the message.

In either case, the message may be processed by applying the retrievedrule. As an option, processing resources used to process the message maybe limited by applying a rate limit to a resource count tracked onbehalf of processing the message. As another option, the rule forprocessing the message may be installed from an application exchangeplatform. Of course, these are options that may or may not beimplemented in various embodiments.

FIG. 2A shows a system 200 for messaging in an on-demand databaseservice, in accordance with another embodiment. As an option, thepresent system 200 may be implemented in the context of thefunctionality of FIG. 1. Of course, however, the system 200 may beimplemented in any desired environment. The aforementioned definitionsmay apply during the present description.

As shown, an administrator may have the ability to enable inboundmessages for an entity. First, the administrator may specify globalpermissions required for inbound message processing. Next, theadministrator may setup new email addresses and activate a new emailaccount linked to a rule (e.g. defined in Apex Code) such that a uniqueemail account is established that may be used to receive inbound emails.It should be noted that several different email addresses may be linkedto the same rule.

In one embodiment, the administrator may access a setup interface forenabling the messaging capability of an organization and to choose whattypes of security/validation criteria to add to the inbound emails. Forexample, the administrator may implement security criteria such as SPFvalidation (e.g. limit to specific domains), sender address validationon a per rule basis, and TLS verification.

The administrator may also determine what rules may be available tousers for creating unique email addresses. For example, theadministrator may allow a user to have full control over rules and thecode that can be applied and executed for processing messages.

In one embodiment, the administrator may first be presented with asplash page, where the administrator may have to agree to enable amessaging feature to proceed. FIG. 2B shows a splash page that may bedisplayed to an administrator, in accordance with one embodiment.

Once the inbound message feature is enabled, the administrator may beable to define a set of inbound mail rules that may be supported by theentity (e.g. supported in an organization) and the security criteria tobe enforced across the set of rules. This may cause an install ofpackages that support these functions from packages that an on-demandservice provider has defined or from packages a customer/partner of theon-demand database service has created.

When enabling a rule for an inbound message, the administrator may alsobe able to choose whether the rule is only allowed to be invoked by amessage from the senders initially established email address. FIG. 2Cshows an interface for establishing rules and security criteria formessages associated with an entity, in accordance with one embodiment.Using this interface, the administrator may view all active rules,versions of application interfaces being used, the number of entitiesusing email addresses linked to the rule, and the security criteriaenabled.

Additionally, the administrator may edit the settings for the entity.For example, the administrator may edit whether the entity uses SPFand/or TLS validation for inbound messages or whether to disable thefeature completely. FIG. 2D shows an interface for verifying securitycriteria used for messaging, in accordance with one embodiment.

FIG. 3A shows a system 300 for messaging in an on-demand databaseservice, in accordance with another embodiment. As an option, thepresent system 300 may be implemented in the context of thefunctionality of FIGS. 1-2. Of course, however, the system 300 may beimplemented in any desired environment. Again, the aforementioneddefinitions may apply during the present description.

As shown, a user may generate an inbound email address. In oneembodiment, the user may be presented with an overview of emailaddresses already enabled. If there are no email addresses, the user mayhave the option to create a new email address.

In this way, users may be able to select from a list of rules and emailaddresses that the administrator may have enabled. The users may selectto use the default rule name or provide a customized local name for thenew email address and/or rule. FIG. 3B shows an interface for generatingan inbound email address, in accordance with one embodiment. FIG. 3Cshows an interface allowing a user to select rules to implement, inaccordance with one embodiment.

In one embodiment, a domain portion of the created address may be of theformat seemingly-random-string.in.salesforce.com. As an option, theseemingly-random-string may be a Base64 encoded string including onlynumbers and letters. This may be accomplished by encrypting a sequenceof 4 random characters used to identify the active user alias for thisfunction, a 12 digit entity ID, a 12 digit user ID, a static qualifierof “in” to represent a generic inbound service email, and a static toplevel email domain representing a domain of the on-demand serviceprovider.

Utilizing such a technique, an address that is difficult for spammers torandomly target may be generated. Moreover, since this may not be ageneral inbox for on-demand database users, users may not be passingthis address out to others for general use. Typically, the user mayforward or copy an email to this address via an address book alias entryor, in some cases, an email may be automatically forwarded to theaddress from another mail system. The user may have the ability toregenerate a user-specific domain if the user believes that the existingdomain has been compromised (e.g. targeted by a spammer).

With further reference to FIG. 3A, mail may be received by a first mailserver 302 and may be forwarded to a second mail server 304 forprocessing. In one embodiment, the first mail server 302 may add headersshowing the success or failure of the security checks such as TLSverification, SPF verification, anti-virus email gateway filterchecking, and anti-SPAM email gateway filter checking. The second mailserver 304 may use information that it obtains to determine what actionsto take based on the headers.

As an option, there may be rate limiting of email flow between the firstmail server 302 and the second mail server 304. In this case, ratelimiting at the entity level for inbound email may be considered.

In one embodiment, the on-demand database provider may implement a newrate limiting that is different than daily limits that are configured byan entity. In this case, there may be a private interface to update thecount for an entity return and the current daily aggregate for theentity. The second mail server 304 may cache these counts until itreaches some configurable limit. The second mail server 304 may thentransmit the update in addition to updating the cache information withthe aggregate returned.

In one embodiment, the second mail server 304 may be responsible forreceiving the inbound mail from the first mail server 302 and forwardingit on to be processed by application programming interface (API) servers306 in the core. FIG. 4 shows a method 400 for processing an inboundmessage, in accordance with one embodiment. As an option, the presentmethod 400 may be implemented in the context of the functionality ofFIGS. 1-3. Of course, however, the method 400 may be carried out in anydesired environment. Further, the aforementioned definitions may applyduring the present description.

As shown, the encoded part of the domain string in a received email isdecoded. See operation 402. If the decoding is unsuccessful, the emailis discarded and the process is exited. The decoded domain substring isthen decrypted to extract an entity or organization ID and a user ID.See operation 404. If the decrypting is unsuccessful, the email isdiscarded and the process is exited.

The rate limiting cache for the entity is then examined. See operation406. If the examination is unsuccessful, the email is discarded and theprocess is exited. A user context is then retrieved to login to the APIservers (e.g. the API servers 306 of FIG. 3A). See operation 408. If theretrieving is unsuccessful, the email is discarded and the process isexited.

The security criteria to be enforced and the location of the web servicebased on the email address are retrieved. See operation 410. If theretrieving is unsuccessful, the email is discarded and the process isexited.

Additional authentication checking is then performed, as enabled by anentity administrator. See operation 412. For example, if an anti-spamcheck is required, which may optionally be automatically enforced forall users, the anti-spam check is performed. If an anti-spam flag hasbeen set by the gateway, the email may be discarded and the process maybe exited.

As another example, if an anti-virus check is required, which mayoptionally be automatically enforced for all users, the anti-virus checkis performed. If an anti-virus flag has been set by the gateway, theemail may be discarded and the process may be exited.

Additionally, if TLS or SPF validation is required, the TLS and/or theSPF validation may be performed. If either the TLS and/or the SPFverification fails, the email may be discarded and the process may beexited.

Once the administrator defined authentication is performed, anyadditional authentication checking enabled by the end user is performed.See operation 414. All unsupported attachment types are then stripped.See operation 416. For example, in one embodiment, the attachment typesmay be limited to VCard and iCal. Once the unsupported attachment typesare stripped, the specified web service to process the email is invoked,passing all supported attachments. See operation 418.

System Overview

FIG. 5 illustrates a block diagram of an environment 510 wherein anon-demand database service might be used. As an option, any of thepreviously described embodiments of the foregoing figures may or may notbe implemented in the context of the environment 510. Environment 510may include user systems 512, network 514, system 516, processor system517, application platform 518, network interface 520, tenant datastorage 522, system data storage 524, program code 526, and processspace 528. In other embodiments, environment 510 may not have all of thecomponents listed and/or may have other elements instead of, or inaddition to, those listed above.

Environment 510 is an environment in which an on-demand database serviceexists. User system 512 may be any machine or system that is used by auser to access a database user system. For example, any of user systems512 can be a handheld computing device, a mobile phone, a laptopcomputer, a work station, and/or a network of computing devices. Asillustrated in FIG. 5 (and in more detail in FIG. 6) user systems 512might interact via a network with an on-demand database service, whichis system 516.

An on-demand database service, such as system 516, is a database systemthat is made available to outside users that do not need to necessarilybe concerned with building and/or maintaining the database system, butinstead may be available for their use when the users need the databasesystem (e.g., on the demand of the users). Some on-demand databaseservices may store information from one or more tenants stored intotables of a common database image to form a mufti-tenant database system(MTS). Accordingly, “on-demand database service 516” and “system 516”will be used interchangeably herein. A database image may include one ormore database objects. A relational database management system (RDMS) orthe equivalent may execute storage and retrieval of information againstthe database object(s). Application platform 518 may be a framework thatallows the applications of system 516 to run, such as the hardwareand/or software, e.g., the operating system. In an embodiment, on-demanddatabase service 516 may include an application platform 518 thatenables creation, managing and executing one or more applicationsdeveloped by the provider of the on-demand database service, usersaccessing the on-demand database service via user systems 512, or thirdparty application developers accessing the on-demand database servicevia user systems 512.

The users of user systems 512 may differ in their respective capacities,and the capacity of a particular user system 512 might be entirelydetermined by permissions (permission levels) for the current user. Forexample, where a salesperson is using a particular user system 512 tointeract with system 516, that user system has the capacities allottedto that salesperson. However, while an administrator is using that usersystem to interact with system 516, that user system has the capacitiesallotted to that administrator. In systems with a hierarchical rolemodel, users at one permission level may have access to applications,data, and database information accessible by a lower permission leveluser, but may not have access to certain applications, databaseinformation, and data accessible by a user at a higher permission level.Thus, different users will have different capabilities with regard toaccessing and modifying application and database information, dependingon a user's security or permission level

Network 514 is any network or combination of networks of devices thatcommunicate with one another. For example, network 514 can be any one orany combination of a LAN (local area network), WAN (wide area network),telephone network, wireless network, point-to-point network, starnetwork, token ring network, hub network, or other appropriateconfiguration. As the most common type of computer network in currentuse is a TCP/IP (Transfer Control Protocol and Internet Protocol)network, such as the global internetwork of networks often referred toas the “Internet” with a capital “I,” that network will be used in manyof the examples herein. However, it should be understood that thenetworks that the present invention might use are not so limited,although TCP/IP is a frequently implemented protocol.

User systems 512 might communicate with system 516 using TCP/IP and, ata higher network level, use other common Internet protocols tocommunicate, such as HTTP, FTP, AFS, WAP, etc. In an example where HTTPis used, user system 512 might include an HTTP client commonly referredto as a “browser” for sending and receiving HTTP messages to and from anHTTP server at system 516. Such an HTTP server might be implemented asthe sole network interface between system 516 and network 514, but othertechniques might be used as well or instead. In some implementations,the interface between system 516 and network 514 includes load sharingfunctionality, such as round-robin HTTP request distributors to balanceloads and distribute incoming HTTP requests evenly over a plurality ofservers. At least as for the users that are accessing that server, eachof the plurality of servers has access to the MTS' data; however, otheralternative configurations may be used instead.

In one embodiment, system 516, shown in FIG. 5, implements a web-basedcustomer relationship management (CRM) system. For example, in oneembodiment, system 516 includes application servers configured toimplement and execute CRM software applications as well as providerelated data, code, forms, webpages and other information to and fromuser systems 512 and to store to, and retrieve from, a database systemrelated data, objects, and Webpage content. With a multi-tenant system,data for multiple tenants may be stored in the same physical databaseobject, however, tenant data typically is arranged so that data of onetenant is kept logically separate from that of other tenants so that onetenant does not have access to another tenant's data, unless such datais expressly shared. In certain embodiments, system 516 implementsapplications other than, or in addition to, a CRM application. Forexample, system 516 may provide tenant access to multiple hosted(standard and custom) applications, including a CRM application. User(or third party developer) applications, which may or may not includeCRM, may be supported by the application platform 518, which managescreation, storage of the applications into one or more database objectsand executing of the applications in a virtual machine in the processspace of the system 516.

One arrangement for elements of system 516 is shown in FIG. 6, includinga network interface 520, application platform 518, tenant data storage522 for tenant data 523, system data storage 524 for system dataaccessible to system 516 and possibly multiple tenants, program code forimplementing various functions of system 516, and a process space 528for executing MTS system processes and tenant-specific processes, suchas running applications as part of an application hosting service.Additional processes that may execute on system 516 include databaseindexing processes.

Several elements in the system shown in FIG. 6 include conventional,well-known elements that are explained only briefly here. For example,each user system 512 could include a desktop personal computer,workstation, laptop, PDA, cell phone, or any wireless access protocol(WAP) enabled device or any other computing device capable ofinterfacing directly or indirectly to the Internet or other networkconnection. User system 512 typically runs an HTTP client, e.g., abrowsing program, such as Microsoft's Internet Explorer browser,Netscape's Navigator browser, Opera's browser, or a WAP-enabled browserin the case of a cell phone, PDA or other wireless device, or the like,allowing a user (e.g., subscriber of the multi-tenant database system)of user system 512 to access, process and view information, pages andapplications available to it from system 516 over network 514. Each usersystem 512 also typically includes one or more user interface devices,such as a keyboard, a mouse, trackball, touch pad, touch screen, pen orthe like, for interacting with a graphical user interface (GUI) providedby the browser on a display' (e.g., a monitor screen, LCD display, etc.)in conjunction with pages, forms, applications and other informationprovided by system 516 or other systems or servers. For example, theuser interface device can be used to access data and applications hostedby system 516, and to perform searches on stored data, and otherwiseallow a user to interact with various GUI pages that may be presented toa user. As discussed above, embodiments are suitable for use with theInternet, which refers to a specific global internetwork of networks.However, it should be understood that other networks can be used insteadof the Internet, such as an intranet, an extranet, a virtual privatenetwork (VPN), a non-TCP/IP based network, any LAN or WAN or the like.

According to one embodiment, each user system 512 and all of itscomponents are operator configurable using applications, such as abrowser, including computer code run using a central processing unitsuch as an Intel Pentium® processor or the like. Similarly, system 516(and additional instances of an MTS, where more than one is present) andall of their components might be operator configurable usingapplication(s) including computer code to run using a central processingunit such as processor system 517, which may include an lintel Pentium®processor or the like, and/or multiple processor units. A computerprogram product embodiment includes a machine-readable storage medium(media) having instructions stored thereon/in which can be used toprogram a computer to perform any of the processes of the embodimentsdescribed herein. Computer code for operating and configuring system 516to intercommunicate and to process webpages, applications and other dataand media content as described herein are preferably downloaded andstored on a hard disk, but the entire program code, or portions thereof,may also be stored in any other volatile or non-volatile memory mediumor device as is well known, such as a ROM or RAM, or provided on anymedia capable of storing program code, such as any type of rotatingmedia including floppy disks, optical discs, digital versatile disk(DVD), compact disk (CD), microdrive, and magneto-optical disks, andmagnetic or optical cards, nanosystems (including molecular memory ICs),or any type of media or device suitable for storing instructions and/ordata. Additionally, the entire program code, or portions thereof, may betransmitted and downloaded from a software source over a transmissionmedium, e.g., over the Internet, or from another server, as is wellknown, or transmitted over any other conventional network connection asis well known (e.g., extranet, VPN, LAN, etc.) using any communicationmedium and protocols (e.g., TCP/IP, HTTP, HTTPS, Ethernet, etc.) as arewell known. It will also be appreciated that computer code forimplementing embodiments of the present invention can be implemented inany programming language that can be executed on a client system and/orserver or server system such as, for example, C, C++, HTML, any othermarkup language, Java™, JavaScript, ActiveX, any other scriptinglanguage, such as VBScript, and many other programming languages as arewell known may be used. (Java™ is a trademark of Sun Microsystems,Inc.).

According to one embodiment, each system 516 is configured to providewebpages, forms, applications, data and media content to user (client)systems 512 to support the access by user systems 512 as tenants ofsystem 516. As such, system 516 provides security mechanisms to keepeach tenant's data separate unless the data is shared. If more than oneMTS is used, they may be located in close proximity to one another(e.g., in a server farm located in a single building or campus), or theymay be distributed at locations remote from one another (e.g., one ormore servers located in city A and one or more servers located in cityB). As used herein, each MTS could include one or more logically and/orphysically connected servers distributed locally or across one or moregeographic locations. Additionally, the term “server” is meant toinclude a computer system, including processing hardware and processspace(s), and an associated storage system and database application(e.g., OODBMS or RDBMS) as is well known in the art. It should also beunderstood that “server system” and “server” are often usedinterchangeably herein. Similarly, the database object described hereincan be implemented as single databases, a distributed database, acollection of distributed databases, a database with redundant online oroffline backups or other redundancies, etc., and might include adistributed database or storage network and associated processingintelligence.

FIG. 6 also illustrates environment 510. However, in FIG. 6 elements ofsystem 516 and various interconnections in an embodiment are furtherillustrated. FIG. 6 shows that user system 512 may include processorsystem 512A, memory system 512B, input system 512C, and output system512D. FIG. 6 shows network 514 and system 516. FIG. 6 also shows thatsystem 516 may include tenant data storage 522, tenant data 523, systemdata storage 524, system data 525. User Interface (UI) 530, ApplicationProgram Interface (API) 632, PL/SOQL 634, save routines 636, applicationsetup mechanism 638, applications servers 600 ₁-600 _(N), system processspace 602, tenant process spaces 604, tenant management process space610, tenant storage area 612, user storage 614, and application metadata616. In other embodiments, environment 510 may not have the sameelements as those listed above and/or may have other elements insteadof, or in addition to, those listed above.

User system 512, network 514, system 516, tenant data storage 522, andsystem data storage 524 were discussed above in FIG. 5. Regarding usersystem 512, processor system 512A may be any combination of one or moreprocessors. Memory system 512B may be any combination of one or morememory devices, short term, and/or long term memory. Input system 512Cmay be any combination of input devices, such as one or more keyboards,mice, trackballs, scanners, cameras, and/or interfaces to networks.Output system 512D may be any combination of output devices, such as oneor more monitors, printers, and/or interfaces to networks. As shown byFIG. 6, system 516 may include a network interface 520 (of FIG. 5)implemented as a set of HTTP application servers 600, an applicationplatform 518, tenant data storage 522, and system data storage 524. Alsoshown is system process space 602, including individual tenant processspaces 604 and a tenant management process space 610. Each applicationserver 600 may be configured to tenant data storage 522 and the tenantdata 523 therein, and system data storage 524 and the system data 525therein to serve requests of user systems 512. The tenant data 523 mightbe divided into individual tenant storage areas 612, which can be eithera physical arrangement and/or a logical arrangement of data. Within eachtenant storage area 612, user storage 614 and application metadata 616might be similarly allocated for each user. For example, a copy of auser's most recently used (MRU) items might be stored to user storage614. Similarly, a copy of MRU items for an entire organization that is atenant might be stored to tenant storage area 612. A UI 630 provides auser interface and an API 632 provides an application programmerinterface to system 516 resident processes to users and/or developers atuser systems 512. The tenant data and the system data may be stored invarious databases, such as one or more Oracle™ databases.

Application platform 518 includes an application setup mechanism 638that supports application developers' creation and management ofapplications, which may be saved as metadata into tenant data storage522 by save routines 636 for execution by subscribers as one or moretenant process spaces 604 managed by tenant management process 610 forexample. Invocations to such applications may be coded using PL/SOQL 634that provides a programming language style interface extension to API632. A detailed description of some PL/SOQL language embodiments isdiscussed in commonly owned U.S. Provisional Patent Application60/828,192 entitled, “PROGRAMMING LANGUAGE METHOD AND SYSTEM FOREXTENDING APIS TO EXECUTE IN CONJUNCTION WITH DATABASE APIS,” by CraigWeissman, filed Oct. 4, 2006, which is incorporated in its entiretyherein for all purposes. Invocations to applications may be detected byone or more system processes, which manage retrieving applicationmetadata 616 for the subscriber making the invocation and executing themetadata as an application in a virtual machine.

Each application server 600 may be communicably coupled to databasesystems, e.g., having access to system data 525 and tenant data 523, viaa different network connection. For example, one application server 600₁ might be coupled via the network 514 (e.g., the Internet), anotherapplication server 600 _(N-1) might be coupled via a direct networklink, and another application server 600 _(N) might be coupled by yet adifferent network connection. Transfer Control Protocol and InternetProtocol (TCP/IP) are typical protocols for communicating betweenapplication servers 600 and the database system. However, it will beapparent to one skilled in the art that other transport protocols may beused to optimize the system depending on the network interconnect used.

In certain embodiments, each application server 600 is configured tohandle requests for any user associated with any organization that is atenant. Because it is desirable to be able to add and remove applicationservers from the server pool at any time for any reason, there ispreferably no server affinity for a user and/or organization to aspecific application server 600. In one embodiment, therefore, aninterface system implementing a load balancing function (e.g., an F5Big-IP load balancer) is communicably coupled between the applicationservers 600 and the user systems 512 to distribute requests to theapplication servers 600. In one embodiment, the load balancer uses aleast connections algorithm to route user requests to the applicationservers 600. Other examples of load balancing algorithms, such as roundrobin and observed response time, also can be used. For example, incertain embodiments, three consecutive requests from the same user couldhit three different application servers 600, and three requests fromdifferent users could hit the same application server 600. In thismanner, system 516 is multi-tenant, wherein system 516 handles storageof, and access to, different objects, data and applications acrossdisparate users and organizations.

As an example of storage, one tenant might be a company that employs asales force where each salesperson uses system 516 to manage their salesprocess. Thus, a user might maintain contact data, leads data, customerfollow-up data, performance data, goals and progress data, etc., allapplicable to that user's personal sales process (e.g., in tenant datastorage 522). In an example of a MTS arrangement, since all of the dataand the applications to access, view, modify, report, transmit,calculate, etc., can be maintained and accessed by a user system havingnothing more than network access, the user can manage his or her salesefforts and cycles from any of many different user systems. For example,if a salesperson is visiting a customer and the customer has Internetaccess in their lobby, the salesperson can obtain critical updates as tothat customer while waiting for the customer to arrive in the lobby.

While each user's data might be separate from other users' dataregardless of the employers of each user, some data might beorganization-wide data shared or accessible by a plurality of users orall of the users for a given organization that is a tenant. Thus, theremight be some data structures managed by system 516 that are allocatedat the tenant level while other data structures might be managed at theuser level. Because an MTS might support multiple tenants includingpossible competitors, the MTS should have security protocols that keepdata, applications, and application use separate. Also, because manytenants may opt for access to an MTS rather than maintain their ownsystem, redundancy, up-time, and backup are additional functions thatmay be implemented in the MTS. In addition to user-specific data andtenant-specific data, system 516 might also maintain system level datausable by multiple tenants or other data. Such system level data mightinclude industry reports, news, postings, and the like that are sharableamong tenants.

In certain embodiments, user systems 512 (which may be client systems)communicate with application servers 600 to request and updatesystem-level and tenant-level data from system 516 that may requiresending one or more queries to tenant data storage 522 and/or systemdata storage 524. System 516 (e.g. an application server 600 in system516) automatically generates one or more SQL statements (e.g. one ormore SQL queries) that are designed to access the desired information.System data storage 524 may generate query plans to access the requesteddata from the database.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefinedcategories. A “table” is one representation of a data object, and may beused herein to simplify the conceptual description of objects and customobjects according to the present invention. It should be understood that“table” and “object” may be used interchangeably herein. Each tablegenerally contains one or more data categories logically arranged ascolumns or fields in a viewable schema. Each row or record of a tablecontains an instance of data for each category defined by the fields.For example, a CRM database may include a table that describes acustomer with fields for basic contact information such as name,address, phone number, fax number, etc. Another table might describe apurchase order, including fields for information such as customer,product, sale price, date, etc. In some multi-tenant database systems,standard entity tables might be provided for use by all tenants. For CRMdatabase applications, such standard entities might include tables forAccount, Contact, Lead, and Opportunity data, each containingpre-defined fields. It should be understood that the word “entity” mayalso be used interchangeably herein with “object” and “table”.

In some multi-tenant database systems, tenants may be allowed to createand store custom objects, or they may be allowed to customize standardentities or objects, for example by creating custom fields for standardobjects, including custom index fields. U.S. patent application Ser. No.10/817,161, filed Apr. 2, 2004, entitled “CUSTOM ENTITIES AND FIELDS INA MULTI-TENANT DATABASE SYSTEM,” which is hereby incorporated herein byreference, teaches systems and methods for creating custom objects aswell as customizing standard objects in a multi-tenant database system.In certain embodiments, for example, all custom entity data rows arestored in a single multi-tenant physical table, which may containmultiple logical tables per organization. It is transparent to customersthat their multiple “tables” are in fact stored in one large table orthat their data may be stored in the same table as the data of othercustomers.

It should be noted that any of the different embodiments describedherein may or may not be equipped with any one or more of the featuresset forth in one or more of the following published applications:US2003/0233404, titled “OFFLINE SIMULATION OF ONLINE SESSION BETWEENCLIENT AND SERVER,” filed Nov. 4, 2002; US2004/0210909, titled “JAVAOBJECT CACHE SERVER FOR DATABASES,” filed Apr. 17, 2003, now issued U.S.Pat. No. 7,209,929; US2005/0065925, titled “QUERY OPTIMIZATION IN AMULTI-TENANT DATABASE SYSTEM,” filed Sep. 23, 2003; US2005/0223022,titled “CUSTOM ENTITIES AND FIELDS IN A MULTI-TENANT DATABASE SYSTEM,”filed Apr. 2, 2004; US2005/0283478, titled “SOAP-BASED WEB SERVICES IN AMULTI-TENANT DATABASE SYSTEM,” filed Jun. 16, 2004; and/orUS2006/0206834, titled “SYSTEMS AND METHODS FOR IMPLEMENTINGMULTI-APPLICATION TABS AND TAB SETS,” filed Mar. 8, 2005; which are eachincorporated herein by reference in their entirety for all purposes.

While the invention has been described by way of example and in terms ofthe specific embodiments, it is to be understood that the invention isnot limited to the disclosed embodiments. To the contrary, it isintended to cover various modifications and similar arrangements aswould be apparent to those skilled in the art. Therefore, the scope ofthe appended claims should be accorded the broadest interpretation so asto encompass all such modifications and similar arrangements.

1. A non-transitory machine-readable medium carrying one or moresequences of instructions which, when executed by one or moreprocessors, cause the one or more processors to carry out the steps of:receiving a message using an on-demand database service, on behalf of anentity: applying, to the message received on behalf of the entity, asecurity criterion retrieved from a portion of an on-demand databaselimited to information of the entity, where the security criterionincludes validation of an address of a sender of the message; andretrieving a rule for processing the message received on behalf of theentity if the message received on behalf of the entity successfullymeets the security criterion, wherein the rule is linked to the addressof the sender of the message such that the rule is identified forretrieval using the validated address of the sender of the message. 2.The non-transitory machine-readable medium of claim 1, wherein thesecurity criterion includes security criterion managed by the on-demanddatabase service controlling the on-demand database.
 3. Thenon-transitory machine-readable medium of claim 1, wherein theretrieving includes retrieving the rule on behalf of the entity.
 4. Thenon-transitory machine-readable medium of claim 1, further comprisingprocessing the message by applying the rule retrieved.
 5. Thenon-transitory machine-readable medium of claim 4, further comprisinglimiting processing resources used to process the message by applying arate limit to a resource count tracked on behalf of processing themessage.
 6. The non-transitory machine-readable medium of claim 1,further comprising installing the rule for processing the message froman application exchange platform.
 7. The non-transitory machine-readablemedium of claim 1, wherein the message is received at the on-demanddatabase service.
 8. The non-transitory machine-readable medium of claim1, wherein the message includes at least one of a workflow approval, amass email, a single email, a notification, a case email, a billingemail, and a workflow request.
 9. The non-transitory machine-readablemedium of claim 1, wherein the message includes at least one of an emailto create a new case, a thread to a previous email, an inquiry, and acustomer support email.
 10. The non-transitory machine-readable mediumof claim 1, wherein the on-demand database service includes amulti-tenant on-demand database service.
 11. The non-transitorymachine-readable medium of claim 1, wherein the security criterionapplied to the message received on behalf of the entity includes ananti-spam verification.
 12. The non-transitory machine-readable mediumof claim 1, wherein the rule is configured to only be invoked inresponse to the validation of the address of the sender of the messagereceived on behalf of the entity.
 13. A method, comprising: receiving amessage using an on-demand database service, on behalf of an entity;applying, to the message received on behalf of the entity, a securitycriterion retrieved from a portion of an on-demand database limited toinformation of the entity, where the security criterion includesvalidation of an address of a sender of the message; and retrieving arule for processing the message received on behalf of the entity if themessage received on behalf of the entity successfully meets the securitycriterion, wherein the rule is linked to the address of the sender ofthe message such that the rule is identified for retrieval using thevalidated address of the sender of the message.
 14. An apparatus,comprising: a processor; and one or more stored sequences ofinstructions which, when executed by the processor, cause the processorto carry out the steps of: receiving a message using an on-demanddatabase service, on behalf of an entity; applying, to the messagereceived on behalf of the entity, a security criterion retrieved from aportion of an on-demand database limited to information of the entity,where the security criterion includes validation of an address of asender of the message; and retrieving a rule for processing the messagereceived on behalf of the entity if the message received on behalf ofthe entity successfully meets the security criterion, wherein the ruleis linked to the address of the sender of the message such that the ruleis identified for retrieval using the validated address of the sender ofthe message.
 15. A method for transmitting code for use in a an antdatabase system on a transmission medium, the method comprising:transmitting code for receiving a message using an on-demand databaseservice, on behalf of an entity; transmitting code for applying, to themessage received on behalf of the entity, a security criterion retrievedfrom a portion of an on-demand database limited to information of theentity, utilizing a processor, where the security criterion includesvalidation of an address of a sender of the message; and transmittingcode for retrieving a rule for processing the message received on behalfof the entity if the message received on behalf of the entitysuccessfully meets the security criterion, wherein the rule is linked tothe address of the sender of the message such that the rule isidentified for retrieval using the validated address of the sender ofthe message.